The Office of Personnel Management is probably shelling out too much money for identity theft insurance for current and former federal employees compromised in the agency’s massive 2015 data breach, a government watchdog said Thursday.

Congress required the government to offer identity theft protection to victims of that hack, which exposed sensitive security clearance information about more than 20 million current and former federal employees and their families and to provide $5 million in identity theft insurance.

That level of coverage is “likely unnecessary,” however, “because claims paid rarely exceed a few thousand dollars,” according to the report from the Government Accountability Office.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Not only does that mean the government is likely paying too much for coverage; it also could distort the identity theft insurance market, raising prices for private companies and regular consumers, GAO said.

It could also mislead consumers about the value of identity theft insurance, the agency said.

Congress should give federal agencies more leeway in determining how much identity theft insurance they should provide to data breach victims on a case-by-case basis, the government auditor said.

The Office of Management and Budget should also do more analysis about whether providing identity theft services to data breach victims is worth the expense compared to cheaper alternatives, GAO said, and provide better guidance to agencies.

OMB should also explore ways to help agencies paying to insure the same person against identity theft for two separate breaches as OPM is currently doing, GAO said.

The OPM breach was widely viewed during the Obama administration as an intelligence-gathering mission by Chinese government-linked hackers rather than an operation aimed at profiting from people’s personal information.

There are no known, verified instances of OPM data being released to criminals.